Security devices may be used for protecting data and/or networks. For example, network-based intrusion prevention systems (IPSs) are inline security devices designed to monitor network traffic for malicious content such as exploits targeting published vulnerabilities in client and server applications. An IPS generally inspects, identifies, logs, and attempts to block malicious traffic while allowing legitimate or benign traffic to flow between trusted and untrusted network segments. However, incorrect signatures (e.g., IPS filters) defined for an IPS to detect and block traffic considered malicious can lead to benign traffic being incorrectly blocked (i.e., false positives), which can negatively impact end users.
Data leakage prevention systems (DLPSs) are another type of security device. A DLPS is designed to prevent confidential information from being leaked, e.g., to an unapproved or untrusted entity or network. A DLPS may use signatures or filters to scan outgoing information and determine whether it is confidential. If outgoing information is confidential and destined for an untrusted entity, the DLPS may prevent the transfer. However, if the outgoing information is non-confidential or the recipient or destination is trusted, the DLPS may allow the transfer. To prevent excessive and unnecessary communications interruptions, it is important that the DLPS correctly distinguishes confidential information from non-confidential information.
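The following is an added illustration, not part of the original specification, of how the detection accuracy of a signature-based security device such as the IPS or DLPS described above can be measured against labeled benign and malicious traffic. The signatures, the request samples, and the function names (`Signature`, `device_verdict`, `measure_accuracy`) are constructed for this example and do not correspond to any real vendor filter set. One deliberately overbroad filter (`sqli-broad`) is included so that the per-signature false-positive count identifies which filter blocks benign traffic; the same measurement applies unchanged to DLPS filters run over outgoing messages.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A hypothetical IPS/DLPS filter: a name and the pattern it blocks on."""
    name: str
    pattern: re.Pattern


# Constructed signature set for this example (not real vendor filters).
# "sqli-broad" is intentionally too broad: it fires on any occurrence of
# "select", including ordinary words such as "selected".
SIGNATURES = [
    Signature("path-traversal", re.compile(r"\.\./")),
    Signature("sqli-union", re.compile(r"union\s+select", re.I)),
    Signature("sqli-broad", re.compile(r"select", re.I)),
    Signature("shellshock", re.compile(r"\(\)\s*\{\s*:;\s*\}")),
]

# Constructed benign traffic (request lines a legitimate client would send).
BENIGN = [
    "GET /index.html HTTP/1.1",
    "GET /products?sort=selected&page=2 HTTP/1.1",
    "GET /docs/v1.2.3/readme HTTP/1.1",
    "POST /api/login HTTP/1.1",
    "GET /search?q=select+a+color HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
]

# Constructed malicious traffic (request lines carrying known attack patterns).
# The last one is a boolean-based injection that no signature above covers,
# so the device's true-positive rate will be below 1.0.
MALICIOUS = [
    "GET /../../etc/passwd HTTP/1.1",
    "GET /items?id=1 UNION SELECT password FROM users HTTP/1.1",
    "GET /cgi-bin/test.cgi HTTP/1.1 User-Agent: () { :; }; /bin/bash -c id",
    "GET /items?id=1 or 1=1 HTTP/1.1",
]


def matched_signatures(request, signatures=SIGNATURES):
    """Return the names of every signature whose pattern matches the request."""
    return [s.name for s in signatures if s.pattern.search(request)]


def device_verdict(request, signatures=SIGNATURES):
    """Model the inline device: block if any signature matches, else allow."""
    return "block" if matched_signatures(request, signatures) else "allow"


def measure_accuracy(benign, malicious, signatures=SIGNATURES):
    """Run labeled traffic through the device and report its accuracy.

    false_positive_rate: fraction of benign samples the device blocked
    true_positive_rate:  fraction of malicious samples the device blocked
    per_signature_false_positives: how many benign samples each filter hit,
        which pinpoints the filter that needs tuning.
    """
    fp = sum(1 for r in benign if device_verdict(r, signatures) == "block")
    tp = sum(1 for r in malicious if device_verdict(r, signatures) == "block")
    per_sig_fp = {s.name: 0 for s in signatures}
    for r in benign:
        for name in matched_signatures(r, signatures):
            per_sig_fp[name] += 1
    return {
        "false_positive_rate": fp / len(benign),
        "true_positive_rate": tp / len(malicious),
        "per_signature_false_positives": per_sig_fp,
    }


def without_signature(name, signatures=SIGNATURES):
    """Return the signature set with one filter removed, for re-measurement."""
    return [s for s in signatures if s.name != name]


if __name__ == "__main__":
    before = measure_accuracy(BENIGN, MALICIOUS)
    print("original filter set:", before)
    tuned = without_signature("sqli-broad")
    after = measure_accuracy(BENIGN, MALICIOUS, tuned)
    print("after removing sqli-broad:", after)
```

Running the block shows the overbroad filter accounting for every benign request that was blocked; removing it brings the false-positive rate to zero while the true-positive rate is unchanged, because the narrower `sqli-union` filter still catches the UNION-based injection. The uncovered boolean injection remains a false negative, which is the other half of detection accuracy and is measured the same way from the malicious corpus.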
Accordingly, in light of these difficulties, a need exists for methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic.